As a post-mortem :-) rcpt changed the mta-sts policy file but did not update the DNS TXT record (especially the id value). So it is fully in line with the policy discovery behaviour specified in RFC 8461 (https://datatracker.ietf.org/doc/html/rfc8461#section-3) that an mta-sts resolver should not check for a new policy file if the id in DNS does not change:

> To discover if a recipient domain implements MTA-STS, a sender need
> only resolve a single TXT record. To see if an updated policy is
> available for a domain for which the sender has a previously cached
> policy, the sender need only check the TXT record's version "id"
> against the cached value.

Again a good argument that "mta-sts" is stupid and DANE should always be preferred :-)

Cheers

tobi

On Tue, 2024-12-10 at 14:30 +1100, Viktor Dukhovni via Postfix-users wrote:
> On Mon, Dec 09, 2024 at 04:29:54PM +0100, Tobi via Postfix-users wrote:
>
> > Finally found it :-) RCPT domain changed not long ago from Gmail to
> > Microsoft and uses mta-sts. Our mta-sts resolver still had the policy
> > for gmail, therefore the delivery to Microsoft could not be
> > verified. We just deleted the policy for gmail from our mta-sts
> > resolver and now it has the correct policy for Microsoft.
> >
> > Thanks @Victor for your support
>
> You're quite welcome. Nice to see that the problem analysis and
> solution making sense. :-)
>
> --
>     Viktor.
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
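As an added illustration of the discovery rule quoted above (not code from this thread, from Postfix, or from any real MTA-STS resolver): a small Python simulation of a sender-side MTA-STS cache that only re-reads the policy file when the TXT record's id changes or the cached policy's max_age expires. It replays the failure mode from the thread (recipient switches mail provider and changes the policy file but not the DNS id, so the sender keeps enforcing the old MX list) and both fixes (recipient bumps the id; sender purges the stale entry). All domain names, ids, MX hosts and policy bodies are constructed for the example.

```python
"""Constructed simulation of RFC 8461 MTA-STS policy discovery and caching.
Nothing here talks to DNS or HTTPS; answers are dictionaries."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CachedPolicy:
    id: str
    mode: str
    mx: List[str]
    max_age: int
    fetched_at: int  # seconds on the same clock passed to StsResolver.lookup()


def parse_sts_txt(txt: str) -> Optional[str]:
    """Return the id from a '_mta-sts.<domain>' TXT record, or None if malformed."""
    fields: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1":
        return None
    return fields.get("id") or None


def parse_policy(body: str) -> Dict[str, object]:
    """Parse an mta-sts.txt body; 'mx' may repeat, so it is collected as a list."""
    policy: Dict[str, object] = {"mx": []}
    for line in body.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)  # type: ignore[union-attr]
        else:
            policy[key] = value
    return policy


def mx_matches(pattern: str, mx_host: str) -> bool:
    """RFC 8461 section 4.1 style match: a leading '*.' covers exactly one label."""
    mx_host, pattern = mx_host.rstrip(".").lower(), pattern.lower()
    if pattern.startswith("*."):
        labels = mx_host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return mx_host == pattern


class StsResolver:
    """Sender-side cache: the policy file is fetched only on id change or expiry."""

    def __init__(self, dns: Dict[str, str], https: Dict[str, str]):
        self.dns = dns      # '_mta-sts.<domain>' -> TXT record text
        self.https = https  # domain -> current mta-sts.txt body
        self.cache: Dict[str, CachedPolicy] = {}
        self.fetch_log: List[str] = []

    def lookup(self, domain: str, now: int) -> Optional[CachedPolicy]:
        cached = self.cache.get(domain)
        fresh = cached is not None and now < cached.fetched_at + cached.max_age
        txt = self.dns.get(f"_mta-sts.{domain}")
        policy_id = parse_sts_txt(txt) if txt else None
        if policy_id is None:
            return cached if fresh else None  # no valid TXT: keep an unexpired policy
        if fresh and cached.id == policy_id:
            return cached  # same id, not expired: policy file is NOT re-read
        parsed = parse_policy(self.https[domain])
        self.fetch_log.append(domain)
        cached = CachedPolicy(policy_id, str(parsed["mode"]), list(parsed["mx"]),  # type: ignore[arg-type]
                              int(str(parsed["max_age"])), now)
        self.cache[domain] = cached
        return cached

    def purge(self, domain: str) -> None:
        """The sender-side fix from the thread: drop the entry so the next lookup refetches."""
        self.cache.pop(domain, None)


def deliverable(policy: Optional[CachedPolicy], mx_host: str) -> bool:
    """In enforce mode the MX must match a policy pattern; otherwise delivery proceeds."""
    if policy is None or policy.mode != "enforce":
        return True
    return any(mx_matches(p, mx_host) for p in policy.mx)


def simulate() -> Dict[str, object]:
    """Replay the thread's incident: provider change without a DNS id change."""
    old = "version: STSv1\nmode: enforce\nmx: *.mx.old-provider.example\nmax_age: 604800\n"
    new = "version: STSv1\nmode: enforce\nmx: *.mail.new-provider.example\nmax_age: 604800\n"
    new_mx = "example-net.mail.new-provider.example"  # constructed MX of the new provider
    dns = {"_mta-sts.example.net": "v=STSv1; id=20240101"}
    r = StsResolver(dns, {"example.net": old})
    r.lookup("example.net", now=0)          # initial discovery caches the old policy
    r.https["example.net"] = new            # recipient changes the file, forgets the id
    stale_ok = deliverable(r.lookup("example.net", now=3600), new_mx)
    fetches_while_stale = len(r.fetch_log)
    dns["_mta-sts.example.net"] = "v=STSv1; id=20241209"  # recipient-side fix
    id_bump_ok = deliverable(r.lookup("example.net", now=7200), new_mx)
    r2 = StsResolver({"_mta-sts.example.net": "v=STSv1; id=20240101"}, {"example.net": old})
    r2.lookup("example.net", now=0)
    r2.https["example.net"] = new
    r2.purge("example.net")                 # sender-side fix with the id still unchanged
    purge_ok = deliverable(r2.lookup("example.net", now=3600), new_mx)
    return {"stale_ok": stale_ok, "fetches_while_stale": fetches_while_stale,
            "id_bump_ok": id_bump_ok, "purge_ok": purge_ok}
```

Running `simulate()` shows the cache serving the old policy (one fetch, delivery to the new MX refused in enforce mode) until either the id in DNS changes or the entry is purged; with a typical max_age of a week or more, the stale state would otherwise persist until expiry.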